www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
15 November 2004  

CXO Accent

Synergising security

Mani Mulki

Both the security strategy and the security strategist should rest on a tripod of people, process and technology. If the security policy does not have well-founded roots in these three, the strategy cannot be complete.

The security strategist (SS) is one who can visualise the info-sec (information security) requirements of a business, then align a plan of action and implement a cohesive solution that will serve the business with least disruption.

Processes and policies

For example, a security system may include the best e-mail monitoring mechanism. However, unless it has processes and policies that determine what mails should be quarantined, the technology is inconsequential.

And processes and policies will fall flat if (for example) people don’t understand the need for anti-virus patch downloading—they may not treat the processes with the required importance.

The SS has to be well versed in the technology. For any problem today there are at least a dozen solutions. The strategist has to identify the one that nails the business need and provides convenience to the users.

Typical skills

The typical skill-set required by an SS would be the ability to pinpoint the loopholes and vulnerabilities of the company and its systems. The capacity to assess the pros, cons and viability of solutions is important, as is a sound understanding of the business process.

The catch with IT solutions (and more so with security solutions) is that the benefits are indirect. It is for this reason that senior management resists investment in them. But there are two things that can sway the management decision: the persuasion skills of the strategist, and his credibility.

Changing minds

Convincing the management is a matter of approach. The SS should present a risk analysis instead of technology jargon. The decision-makers should have a clearly defined view of the loss in business resulting from the lack of security.

Consider a spam filter. If the management sees it merely as a tool to get less mail, they will probably not see value for money. But if the strategist can specify the number of man-hours that will be saved if there is less mail, and speak of the possible filtering out of viruses that could enter the system, the investment might make business sense to the men in suits.

As far as credibility is concerned, it cannot be established at the outset. Credibility has to be cultivated over time. One way to get it is to keep track of viruses and disasters that competitors face, and their effects. Then report the difference in the wasted time and productivity between the affected company and yours. The threat perception should be concrete not only in the minds of the management but also in those of employees in general.

That’s what counted for me, in the final analysis, for this award as well: the difficulties the SS faced in his efforts to convince the management, and the steps taken to mass-educate the employees. The most difficult part of security is to coordinate people and process, and a security strategist’s success lies in the ability to bring about a change in that.

A word of caution

Do not treat information security as a technology. A security investment cannot be weighed like other IT investments. You have to be very well versed in the threats rather than the advantages, and the threats should be very clearly presented to the management.

The author is head, IT, Godrej Industries

 


© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.